How to Stay Audit-Ready Across Global Jurisdictions

There is a particular kind of pressure that compliance teams at globally active businesses know well. It is the pressure of knowing that your business is being watched by more than one set of eyes, operating under more than one set of rules, and that a regulatory inspection in any one of your jurisdictions could arrive with little warning and demand evidence of how your controls work, not just that they exist.
Global audit readiness is not a single state you achieve and then maintain. It is a continuous operational posture that requires your compliance framework to be coherent, documented, proportionate, and retrievable across every jurisdiction in which you are regulated. And in 2026, the landscape you are navigating has become more complex than it has ever been, with significant regulatory transitions underway simultaneously in the EU, the United States, Australia, and Singapore, all of which have direct implications for what an audit will examine and how your evidence will be assessed.
This guide is written for compliance teams, MLROs, and senior managers at regulated businesses operating across multiple jurisdictions. We will cover what global audit readiness actually requires, how the major regulatory frameworks connect to it, where the common failure points are, and how to think about building compliance infrastructure that works for more than one regulator at a time.
Why Cross-Border Audits Are a Different Kind of Challenge
A compliance audit in a single jurisdiction is demanding enough. You need documentation of your policies, evidence of their consistent application, a functioning governance structure, and records that are accessible and retrievable within a reasonable timeframe. But when you operate across borders, the challenge multiplies in ways that are not simply additive.
Different regulators may ask the same question in different ways and expect the answer in different formats. Your beneficial ownership verification process may satisfy the EU's requirements under Regulation (EU) 2024/1624 but require a different documentation approach to satisfy AUSTRAC under Australia's reformed AML/CTF Act. Your transaction monitoring thresholds may be calibrated appropriately for your EU customer base but require separate calibration for your APAC business. Your record retention periods may differ between jurisdictions. And the governance accountability your EU supervisor expects at board level may be framed differently from what the Monetary Authority of Singapore requires under MAS Notice 626.
None of this is insurmountable. But it does mean that global audit readiness requires deliberate architecture rather than the assumption that a compliance framework designed for one jurisdiction will naturally extend to cover the others.

The Regulatory Architecture You Are Working Within
Before getting into the practical steps, it helps to map the key regulatory frameworks that shape global audit readiness for financial services businesses in 2026.
The EU: Harmonisation, AMLA, and the AMLR
The EU is in the middle of the most significant overhaul of its AML/CFT framework in a generation. Regulation (EU) 2024/1624, the Anti-Money Laundering Regulation, establishes the first directly applicable EU AML/CFT rulebook, replacing the directive-based system that allowed national variation. Regulation (EU) 2024/1620 established AMLA, the Anti-Money Laundering Authority, which has been operational since 1 July 2025. Directive (EU) 2024/1640 updates the national institutional framework, including the rules governing beneficial ownership registers and their interconnection.
AMLA's trajectory matters directly for global audit readiness. As AMLA has confirmed in its Single Programming Document 2026-2028, the authority will directly supervise 40 of the most complex high-risk financial institutions in the EU from 2028, with the selection process already underway in 2026. The data collection exercise to identify provisionally eligible obliged entities is in progress, with national supervisors collecting data by 15 August 2026. Institutions that operate on a cross-border basis and present higher ML/TF risk profiles are the primary candidates for AMLA direct supervision.
AMLA has also published draft Regulatory Technical Standards on group-wide requirements, which were the subject of a public hearing on 20 May 2026 attended by over 650 participants. These standards, covering the mandates under Articles 16(4) and 17(3) of the AMLR, will shape how cross-border financial groups are expected to implement AML/CFT obligations consistently across their group structure, including how policies flow from parent to subsidiary and how AML/CFT colleges are organised for cross-border supervision.
For EU-regulated businesses, this means audit readiness is no longer just about satisfying your home Member State supervisor. It increasingly means being prepared for scrutiny that may originate from, or be coordinated by, a supranational body with a genuinely harmonised methodology. The EBA confirmed that it will retain its AML/CFT powers until December 2025 to provide continuity, and continues to work alongside AMLA going forward. Supervisory expectations are not being relaxed during this transition. They are being raised and harmonised.
Alongside AML/CFT, DORA applies to EU financial institutions from 17 January 2025. As the EBA has confirmed on its operational resilience page, DORA introduces harmonised requirements for ICT risk management frameworks, incident reporting, and third-party risk management and testing. Under Article 28(3) of DORA, all financial entities subject to DORA are required to maintain a register of information covering all contractual arrangements with ICT third-party service providers, with no exception even for microenterprises. The European Supervisory Authorities published the first set of final draft technical standards under DORA, as confirmed by the EBA, covering ICT risk management frameworks, incident classification, third-party policy, and the register of information templates.
The US: Outcomes Orientation and Multi-Agency Oversight
In the United States, AML/CFT compliance operates through the Bank Secrecy Act, administered primarily by FinCEN. FinCEN's April 2026 proposed rule, jointly issued with the OCC, FDIC, and NCUA as confirmed by the FDIC, represents a fundamental reform of AML/CFT programme requirements, replacing the pillar-based structure with a single standard of an effective AML/CFT programme. This shift toward an outcomes orientation mirrors similar directions in the EU and Australia, and has significant implications for how cross-border businesses design and evidence their US compliance programmes.
For businesses operating in both the EU and the US, the structural differences remain important. The US framework is sector-specific and multi-agency. An audit exposure in the US may involve FinCEN, a prudential regulator, a state regulator, or the Department of Justice. Managing documentation and governance for that multi-regulator environment requires clear internal accountability for which team owns the relationship with each agency.
Australia: AUSTRAC Reforms and the Tranche 2 Expansion
Australia's AML/CTF reform programme is at a critical implementation point in 2026. The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 has been significantly reformed, with obligations for currently regulated entities updated from 31 March 2026. As AUSTRAC has confirmed in its regulatory priorities for 2025-26, AML/CTF obligations commence for Tranche 2 entities, including the legal profession, accountants, real estate agents, and jewellers, from 1 July 2026.
AUSTRAC has published transitional rules for 2026 that give some reporting entities more time to update their systems, processes, and AML/CTF programmes. However, AUSTRAC has been explicit that failure to manage ML/TF risks is a serious regulatory concern both now and after the reforms commence. Australia is subject to a FATF mutual evaluation commencing in 2026, which reinforces the urgency of the reform timeline and the expectation that institutions demonstrate genuine operational compliance.
Singapore: MAS and the July 2025 Revisions
The Monetary Authority of Singapore (MAS) operates through its system of Notices and Guidelines. MAS Notice 626, the primary AML/CFT instrument for banks, was last revised on 30 June 2025 and took effect on 1 July 2025. The revised Notice formally includes proliferation financing within the scope of money laundering risk assessments and tightens suspicious transaction reporting timelines, with reports involving sanctioned parties now required within one business day. The guidelines to MAS Notice 626 reinforce senior management and board accountability as active compliance responsibilities, not passive governance obligations.
How to Build a Cross-Border Compliance Framework That Holds Up Anywhere
The practical goal of global audit readiness is to have a compliance framework whose core is robust enough to satisfy any major regulator while remaining flexible enough to accommodate the specific requirements of each jurisdiction you operate in. The following areas are where that framework needs to be genuinely strong.
A Single, Coherent Governance Architecture
The single most important structural feature of a cross-border compliance framework is that governance accountability is genuinely clear at both global and local level. This means you can answer the following questions confidently at any moment: who is the designated AML/CFT compliance officer or MLRO for each regulated entity? What is that person's reporting line and what authority do they have? Who at board or senior management level owns compliance responsibility for each jurisdiction? How do local compliance teams escalate issues to the group level, and how do group-level policy decisions flow down to local entities?
Under Regulation (EU) 2024/1624, obliged entities must appoint a member of the management body responsible for ensuring compliance, and the business-wide risk assessment must be approved by that management body. AMLA's draft RTS on group-wide requirements, which were the subject of a major public hearing in May 2026, are developing the specific obligations for how groups implement AML/CFT policies consistently across their structure. These standards will have direct implications for how cross-border financial groups document and demonstrate that their group compliance framework is coherent rather than fragmented.
For AUSTRAC-regulated entities, the reformed AML/CTF programme requirements similarly require board-level oversight and documented senior management accountability. MAS Notice 626 requires that the AML/CFT compliance function alerts senior management or the board if employees in line departments are failing to address ML/TF risks adequately. The governance expectation is substantively consistent across jurisdictions, even if the specific terminology and documentation requirements differ.
Jurisdiction-Specific Risk Assessments Built on a Common Methodology
A business-wide risk assessment that works for one jurisdiction will not automatically work for another. Different regulators have different expectations for how risk assessments are structured, what factors they cover, and how they connect to the controls in place. The approach that produces genuine cross-border audit readiness is to build a common risk assessment methodology at group level, with jurisdiction-specific inputs and outputs.
The common methodology should cover the risk factors that all major regulators care about: customer risk, product and service risk, geographic risk, delivery channel risk, and transaction risk. The jurisdiction-specific inputs should reflect the particular customer mix, regulatory environment, and risk typologies relevant to each market. And the jurisdiction-specific outputs should be documented in a format that meets the particular expectations of each supervisor.
AMLA is developing a common risk assessment methodology specifically for supervisory purposes. As AMLA has confirmed, the draft RTS on risk assessments specifies the data points and criteria that national supervisors will use to assess the entities they supervise, with the explicit goal that AMLA and national supervisors will have the same understanding of risks. This harmonised approach means that for EU-regulated entities, the risk assessment methodology will increasingly be standardised rather than left to individual institution design. Building your risk assessment to match that emerging standard now is a practical step toward audit readiness.
Customer Due Diligence Documentation That Is Consistent and Retrievable
Regardless of which jurisdiction your regulator sits in, the question an auditor will ask about any customer relationship is essentially the same: show me that you knew who this customer was, why they were doing business with you, what risk they presented, and how you monitored that relationship over time. The answer to that question lives in your customer due diligence documentation.
Cross-border audit readiness in this area requires that your CDD documentation is complete, consistent, and retrievable across all your jurisdictions. Complete means that every required step was completed and documented, not just that the customer was onboarded. Consistent means that the same risk classification methodology was applied across customer segments regardless of which jurisdiction they were onboarded in. Retrievable means that you can produce any customer file, within a reasonable timeframe, in response to a regulatory request.
For corporate customers in particular, beneficial ownership verification needs to be documented with sufficient detail to show that you used authoritative, primary-source data rather than self-certification. Under Directive (EU) 2024/1640, EU-regulated entities must check beneficial ownership information against the interconnected central registers and report any discrepancies they find. Under MAS Notice 626, banks must understand the ownership and control structure of non-individual customers. Under AUSTRAC's reformed framework, the shift to initial customer due diligence obligations reinforces the same principle.
Sanctions Screening That Covers All Relevant Lists in All Jurisdictions
Sanctions compliance is particularly complex for cross-border businesses because you are potentially subject to the restrictive measures of multiple jurisdictions simultaneously, and the lists are not identical. EU sanctions, issued through Regulations in the Official Journal of the European Union, apply directly to all EU-regulated entities. US OFAC sanctions apply to US persons and entities and to transactions in US dollars. Australian sanctions operate under their own legislative framework. And some business relationships may need to be screened against all of them.
The EBA's guidelines EBA/GL/2024/14 set out detailed requirements for EU-regulated institutions on internal policies, procedures, and controls for compliance with restrictive measures, and make clear that weak controls in this area expose institutions to legal risks, reputational damage, and significant fines. For cross-border businesses, the practical requirement is a screening system that can be configured to cover all relevant sanctions lists, documents how matches are handled and by whom, and maintains a complete audit trail of every screening decision.
MAS has specifically tightened its suspicious transaction reporting timeline for sanctioned parties to one business day under the revised MAS Notice 626. This is a genuinely demanding operational requirement that requires your screening system to be monitoring actively and continuously, not periodically.
DORA and ICT Risk Across Your Technology Stack
For EU-regulated financial institutions, DORA has introduced a layer of audit readiness obligations that goes beyond the AML/CFT framework. As the EBA has confirmed, DORA sets targeted rules on ICT risk management, incident reporting, digital operational resilience testing, and ICT third-party risk monitoring. Crucially, as confirmed by the EBA's Q&A on DORA obligations, all financial entities subject to DORA must maintain a register of information covering all contractual arrangements with ICT third-party service providers, with no exception.
For cross-border businesses, this means every compliance technology vendor, every cloud provider hosting your compliance systems, and every third-party data source feeding your screening or monitoring tools needs to appear in your DORA register. The ESAs published templates for the register of information as part of the first set of DORA technical standards. Using those templates consistently is part of audit readiness for any EU-regulated financial entity in scope of DORA.
Record Retention That Reflects the Requirements of Each Jurisdiction
One of the compliance areas where cross-border differences are most practically important is record retention. The standard retention period under Regulation (EU) 2024/1624 is five years from the end of the business relationship or the date of the transaction. AUSTRAC requires records to be kept for a minimum of seven years. MAS Notice 626 also specifies retention periods for customer and transaction records. And GDPR, which continues to apply to all personal data processing in the EU, introduces data minimisation obligations that can create tension with the duty to retain records for AML purposes.
Managing this across jurisdictions requires a clear data governance policy that maps each category of record to the retention period required in each jurisdiction where it is held or processed, and that documents the legal basis for retention where it exceeds what GDPR would otherwise require. This is not an area where a single global retention policy will always work. Different records may need different treatment depending on where the data subject is, where the business relationship was established, and which regulator has jurisdiction over the entity that holds the record.
Staff Training That Reflects the Regulatory Environment of Each Jurisdiction
Training records are a consistent target of regulatory review across all major jurisdictions. Auditors want to see that the people responsible for applying your controls actually understand what the controls are, why they exist, and what to do when something goes wrong. For cross-border businesses, this means your training programme needs to reflect the specific regulatory environment of each jurisdiction in which your staff operate, not just a generic global AML curriculum.
Regulation (EU) 2024/1624 requires that AML/CFT training is provided to relevant staff. AUSTRAC emphasises that compliance teams should be equipped to implement the reformed framework by the applicable deadlines. MAS's guidelines to Notice 626 specify that the AML/CFT compliance function is the contact point for domestic and foreign authorities, which implies a level of knowledge and operational readiness that extends beyond policy awareness.
Maintain training records that show who was trained, on what topics, on what dates, and what the training covered. Where jurisdiction-specific topics are covered, document that separately so you can demonstrate to each regulator that their specific framework was addressed.
The Audit Trail: Your Most Important Cross-Border Asset
If there is one capability that determines whether global audit readiness is genuine or cosmetic, it is the quality of the audit trail your compliance systems produce. In a cross-border environment, you may be answering regulatory questions from multiple jurisdictions simultaneously, and you may need to produce records from different systems in different formats on a compressed timeline.
The audit trail needs to be complete, meaning every step in every compliance process is logged with a timestamp and the identity of the person who took the action. It needs to be consistent, meaning the same process was applied to the same category of customer or transaction regardless of which entity within your group handled it. And it needs to be retrievable, meaning you can respond to a regulatory request within a timeframe that demonstrates operational competence rather than system inadequacy.
For cross-border businesses considering whether their current systems support this, a useful test is to ask: if three different regulators from three different jurisdictions each asked me tomorrow to produce the last twelve months of onboarding records for a specific corporate customer, all transaction monitoring alerts reviewed in connection with that customer, and the documented basis for the customer's current risk classification, could I do that within 48 hours? If the honest answer is no, that is a gap that needs to be addressed before the audit arrives.
Where Cross-Border Audit Readiness Most Commonly Breaks Down
Based on the regulatory findings and enforcement actions visible across the EU, US, and APAC, the same failure patterns emerge at globally active businesses.
Risk assessments are completed at group level but not adapted to reflect the specific risk environment of each jurisdiction, so the local assessment does not reflect what local auditors actually see in the customer base.
CDD documentation is strong in the home jurisdiction but inconsistent in newer or smaller markets where less resource was invested.
Training completion is tracked for the home market but patchy for overseas entities.
Sanctions screening covers EU and US lists but misses jurisdiction-specific requirements in APAC markets.
Record retention policies are set globally without accounting for the longer minimum periods required in Australia or other jurisdictions.
And governance accountability for compliance in each jurisdiction is nominal rather than real, with responsibilities attributed to roles rather than named individuals with active oversight responsibilities.
None of these gaps are difficult to identify once you know to look for them. The problem is that they tend to be invisible until a regulator starts looking, at which point they become urgent.
About SpeedyDD

SpeedyDD is built for the complexity that regulated businesses face when they are trying to maintain audit readiness across multiple jurisdictions without compromising on the quality of their underlying documentation and verification. Our mission is to help complex, regulated businesses stay continuously audit-ready, not just in their home jurisdiction, but everywhere they operate and everywhere they are watched.
Frequently Asked Questions
What does global audit readiness mean in practice for a regulated financial services business?
Global audit readiness means that your compliance framework, including your policies, procedures, documentation, governance structure, and audit trail, is sufficient to satisfy any of your regulators, in any jurisdiction you operate in, at any given moment, without needing a period of intensive preparation before an inspection. It does not mean that your framework is identical in every jurisdiction. It means that the core is strong enough and the jurisdiction-specific adaptations are thorough enough that no regulator finds material gaps. In practice, this requires a single coherent governance architecture, a common risk assessment methodology with jurisdiction-specific inputs, consistent CDD documentation standards across all entities, and record systems that are retrievable on demand.
How does AMLA's selection process for direct supervision affect cross-border businesses operating in the EU?
As AMLA has confirmed, it has published a reporting package for the identification of provisionally eligible obliged entities, with national supervisors collecting data by 15 August 2026. The provisional list of eligible entities is expected to be finalised by end-September 2026, with direct supervision of the selected 40 institutions beginning from 2028. Cross-border financial institutions that operate in multiple EU Member States and present higher ML/TF risk profiles are the primary candidates. If your institution may be among those selected, the supervisory scrutiny you will face from 2028 will be AMLA-led rather than nationally led, with AMLA applying a common risk assessment methodology across all directly supervised entities. Preparing for that transition means ensuring your group-wide compliance framework is coherent and documented to the standards AMLA is now developing through its regulatory technical standards.
What is the DORA register of information and who needs to maintain it?
Under DORA Article 28(3), all financial entities subject to DORA must maintain a register of information covering all contractual arrangements with ICT third-party service providers. There are no exceptions to this obligation, even for smaller entities or microenterprises. The ESAs have published implementing technical standards specifying the templates for the register of information, and the first submission of this data to supervisory authorities was due by 30 April 2025. For cross-border businesses, every technology vendor supporting your compliance operations in any EU jurisdiction needs to be included in this register.
How do retention periods differ across major jurisdictions and how should businesses manage this?
The standard retention period under Regulation (EU) 2024/1624 is five years from the end of the business relationship or the date of the transaction. Australia's AML/CTF framework requires records to be kept for a minimum of seven years. MAS Notice 626 specifies its own retention requirements for customer and transaction records. Managing this across jurisdictions requires a clear data governance policy that maps each category of record to the applicable retention period in each relevant jurisdiction and documents the legal basis for retention, particularly where AML retention obligations create tension with GDPR data minimisation requirements under Regulation (EU) 2016/679. A single global retention period set at the highest common denominator is one practical approach, provided it is properly documented and the GDPR legal basis for retention is explicitly established.
What should a cross-border business do first to improve its global audit readiness?
The most effective starting point is an honest gap assessment across all your regulated jurisdictions. This means mapping the specific obligations of each jurisdiction against what your current framework actually provides, and identifying where the gaps are. The most commonly identified gaps in cross-border businesses are: risk assessments that are not adapted to each jurisdiction's specific risk environment; CDD documentation that is inconsistent across entities; sanctions screening that does not cover all relevant lists in all jurisdictions; training records that are incomplete for non-home jurisdictions; and record systems that cannot be interrogated efficiently to produce customer files or transaction records on short notice. Once you know where your gaps are, you can prioritise remediation based on which gaps present the greatest regulatory exposure and which jurisdictions have the most active supervisory activity.
How should a business manage governance accountability for compliance across multiple jurisdictions?
The principle that works across all major regulatory frameworks is that accountability must be clear, named, and active at both group and local level. At group level, the group compliance function or Chief Compliance Officer should own the overall compliance framework and ensure it is coherent across all entities. At local level, each regulated entity must have a designated compliance officer or MLRO with clear authority and reporting lines. The relationship between group and local compliance needs to be documented, including how group policies are adopted locally, how local issues are escalated, and how local findings are reported to the group level. Under AMLA's draft RTS on group-wide requirements and under Regulation (EU) 2024/1624, this documentation will increasingly be assessed against a harmonised EU standard. The same principle of clear, documented governance accountability applies under AUSTRAC's reformed framework and under MAS Notice 626.
How does the risk-based approach apply differently across the EU, US, and APAC frameworks?
All three major regulatory frameworks are built on the risk-based approach recommended by FATF, meaning that the depth and intensity of compliance controls should be proportionate to the actual risk presented by each customer, product, and geography. The differences lie in how regulators assess whether your calibration is appropriate. In the EU, AMLA is developing a common risk assessment methodology through its regulatory technical standards, which will give supervisors a shared benchmark for evaluating whether an institution's risk-based approach is adequate. In the US, FinCEN's April 2026 proposed rule explicitly moves toward an outcomes effectiveness standard, meaning regulators will assess whether your risk-based programme actually works rather than whether it has the required components. In Australia, AUSTRAC's outcomes-oriented model similarly focuses on whether ML/TF risks are genuinely managed. The practical implication for cross-border businesses is that the risk-based approach must be evidenced, not just documented, in every jurisdiction.
What role does technology play in maintaining global audit readiness?
Technology is essential infrastructure for global audit readiness, not an optional enhancement. The volume and complexity of compliance obligations across multiple jurisdictions cannot be managed reliably through manual processes and disconnected systems. The specific functions where technology support is most critical are customer due diligence and KYB verification using primary-source registry data, dynamic risk scoring that reflects real-time information rather than static onboarding assessments, sanctions screening that is calibrated, documented, and covers all relevant lists, transaction monitoring that is proportionate to your actual risk profile and generates reviewable audit trails, and record management that allows you to retrieve any customer file or transaction record efficiently. Under DORA, the technology you use is itself subject to regulatory requirements, and under GDPR, the data processed within your compliance systems must be handled with appropriate security and access controls.


